Executive Order Does Not End Privacy Shield, But Raises Questions

Among the executive orders signed by President Trump in his first week in office, the January 25, 2017 order entitled “Enhancing Public Safety in the Interior of the United States” appeared to remove the Privacy Act protections for personally identifiable information of persons who are not US citizens or lawful permanent residents. This raised alarms as to whether the president’s action would undermine the EU-U.S. Privacy Shield , a self-certification process by which personal data can be transferred from the European Union to the United States. This concern appears to be unfounded, for the reasons discussed here, but a continued monitoring of executive actions is recommended as the Trump administration rolls out its policies that have an impact on cross-border data transfers and privacy rights.

The Executive Order

As we have previously discussed, increased surveillance and data collection by the US government appear likely under the Trump administration.[1] Within a few days in office, on January 25, 2017, President Trump signed an executive order entitled “Enhancing Public Safety in the Interior of the United States”[2] (the “Order”). Section 14 of the Order seeks to exclude persons who are not US citizens or lawful permanent residents from protections under the Privacy Act of 1974.[3] The section provides, in its entirety:

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

The Order Is Not Immediately Detrimental to the Privacy Shield

Initial reactions to the Order raised concerns that Section 14 could derail the EU-U.S. Privacy Shield, a program that allows for the transfer of personal data from the EU to private entities in the US,[4] because the Order would eliminate protections for personal data of EU citizens, which the Privacy Shield is designed to safeguard.[5] For several reasons, it appears that these concerns have been overstated.

First, executive orders do not have the same force of law as legislation passed by Congress. The president may use executive orders to direct actions or practices of the executive branch of the US government, including administrative agencies, but executive orders must work within laws enacted by Congress and cannot undo or contravene those laws. If individuals – citizens or non-citizens – are granted certain rights by statute, the executive branch is bound to follow the statute and cannot simply take away those rights. This is implicitly recognized in the Order, including Section 14, as actions are to be taken “to the extent consistent with” or “to the extent permitted by” applicable law.

Second, the Privacy Act does not provide protections for persons who are not citizens of the US or lawful permanent residents. The Privacy Act establishes certain requirements for the collection and maintenance of information about individuals, restricts disclosure of such information and grants certain rights, e.g., of access and amendment, to individuals regarding information about them.[6] However, the term “individual” is defined under the Privacy Act as “a citizen of the United States or an alien lawfully admitted for permanent residence.”[7] Thus non-citizens and persons who are not permanent legal residents are excluded by definition from those protections and rights under the Privacy Act. Admittedly, remedies established under the Privacy Act have been extended to EU citizens through the Judicial Redress Act of 2015 in order to implement the Privacy Shield.[8] The Order does not address the Judicial Redress Act and does not undo the availability of those remedies.

Third, the Privacy Shield is in large part directed toward private entities – corporations and other organizations subject to Federal Trade Commission jurisdiction. Companies may opt into the Privacy Shield by agreeing to adhere to a set of principles that ensure safeguards and proper treatment for personal data transferred from the EU, as well as means of redress available to individuals in the EU. The Order does not change obligations under the Privacy Shield for companies that have volunteered to participate in the program and comply with its data protection requirements. Companies that elected to join the Privacy Shield must continue to follow the Privacy Shield Framework in order to maintain its benefit as a means of transferring personal data from the EU to the US. In addition, private entities are not subject to the Privacy Act, which is directed to federal agencies.[9]

However, even if the Privacy Shield is not immediately affected by the Order, it is prudent to monitor executive actions moving forward to see how the Order is implemented, as well as any changes to agency interpretations of existing laws and US surveillance policies. Even if there is no immediate impact from such actions, there may be later effects. Since the Privacy Shield was adopted in August 2016, two legal challenges have been filed by privacy rights organizations, questioning whether the new Framework sufficiently protects the privacy rights of European citizens.[10] We expect that Section 14 will be cited in support of legal challenges to the Privacy Shield, along with any subsequent actions of the Trump administration that may be perceived to curb privacy protections.

What Does Section 14 Do?

Because persons who are not citizens or not permanent lawful residents of the US have never been protected by the Privacy Act, the practical effect of Section 14 is not clear.

If we step back and consider the Order more broadly, as a general matter it directs agencies to more forcefully and strictly enforce immigration laws against “removable aliens.”[11] In furtherance of this goal, the Order includes several provisions that require data gathering and reporting, with a particular focus on criminal and potentially criminal actions by aliens, as well as failures to enforce immigration laws.[12] Viewed in this context, one potential reading is that Section 14 may have been included to facilitate sharing such data among federal agencies.

European Commission Response

The European Commission (the “Commission”) has recognized that the Order does not immediately undermine the Privacy Shield. The Commission has provided the following statement:

We are aware of the executive order on public safety. The U.S. Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizen’s data is duly protected when transferred to the U.S.

In its statement, the Commission clarified that the Privacy Shield is implemented through the EU-U.S. Data Protection and Privacy Agreement (referred to as the “Umbrella Agreement”) and the Judicial Redress Act. The Commission also noted that the Privacy Shield “does not rely on the protections under the Privacy Act.”[13]

Although the Commission’s statement makes it clear that the Privacy Shield is not in imminent danger, it is also clear that stakeholders in the EU are not fully mollified. EU Justice Commissioner Vera Jourova has called for reassurance from the Trump administration and will seek meetings with Trump administration appointees to discuss this issue.[14] In addition, the Commission’s statement on the Order concludes on a cautious note: “We will continue to monitor the implementation of both instruments [the Umbrella Agreement and the Judicial Redress Act] and are following closely any changes in the U.S. that might have an effect on European’s data protection rights.”

Key Takeaways

The EU-U.S. Privacy Shield remains in effect.

However, for companies that are relying on the EU-U.S. Privacy Shield to transfer personal information from the European Union to the United States, it is recommended that US executive actions and legal challenges to the Privacy Shield Framework are monitored closely.

The Trump administration is expected to implement policies that further expand law enforcement powers to collect and use data, especially targeting non-US citizens.

Companies that handle personal information should review their data collection and handling policies and be ready to respond to such agency requests.